
   IBM T. J. Watson Research
   Schagen 33
   3461 GL Linschoten
   Netherlands

   EMail: wijnen@vnet.ibm.com
   Phone: +31-348-432-794

   Randy Presuhn
   BMC Software, Inc
   1190 Saratoga Avenue, Suite 130
   San Jose, CA 95129-3433
   USA

   EMail: rpresuhn@bmc.com
   Phone: +1-408-556-0720

   Keith McCloghrie
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   EMail: kzm@cisco.com
   Phone: +1-408-526-5260

APPENDIX A - Installation

A.1. Installation Parameters

During installation, an authoritative SNMP engine which supports this View-based Access Control Model SHOULD be configured with several initial parameters. These include for the View-based Access Control Model:

1) A security configuration

The choice of security configuration determines whether an initial configuration is implemented and, if so, which one. One of three possible choices is selected:

- initial-minimum-security-configuration
- initial-semi-security-configuration
- initial-no-access-configuration

In the case of the initial-no-access-configuration there is no initial configuration, and so the following steps are irrelevant.

2) A default context

One entry in the vacmContextTable with a contextName of "" (the empty string), representing the default context. Note that this table gets created automatically if a default context exists.

                                   no privacy support   privacy support
                                   ------------------   ---------------
      vacmContextName              ""                   ""

3) An initial group

One entry in the vacmSecurityToGroupTable to allow access to group "initial".

                                     no privacy support   privacy support
                                     ------------------   ---------------
      vacmSecurityModel              3 (USM)              3 (USM)
      vacmSecurityName               "initial"            "initial"
      vacmGroupName                  "initial"            "initial"
      vacmSecurityToGroupStorageType anyValidStorageType  anyValidStorageType
      vacmSecurityToGroupStatus      active               active

4) Initial access rights

Three entries in the vacmAccessTable as follows:

- read-notify access for securityModel USM, securityLevel "noAuthNoPriv" on behalf of securityNames that belong to the group "initial" to the <restricted> MIB view in the default context with contextName "".

- read-write-notify access for securityModel USM, securityLevel "authNoPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

- if privacy is supported, read-write-notify access for securityModel USM, securityLevel "authPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

That translates into the following entries in the vacmAccessTable.

Columns marked with (index) are index-only objects: they identify the row but are not present as columns of this table.

- One entry to be used for unauthenticated access (noAuthNoPriv):

                                   no privacy support   privacy support
                                   ------------------   ---------------
      vacmAccessContextPrefix      ""                   ""
      vacmGroupName       (index)  "initial"            "initial"
      vacmSecurityModel   (index)  3 (USM)              3 (USM)
      vacmAccessSecurityLevel      noAuthNoPriv         noAuthNoPriv
      vacmAccessReadViewName       "restricted"         "restricted"
      vacmAccessWriteViewName      ""                   ""
      vacmAccessNotifyViewName     "restricted"         "restricted"
      vacmAccessStorageType        anyValidStorageType  anyValidStorageType
      vacmAccessStatus             active               active

- One entry to be used for authenticated access but without privacy (authNoPriv):

                                   no privacy support   privacy support
                                   ------------------   ---------------
      vacmAccessContextPrefix      ""                   ""
      vacmGroupName       (index)  "initial"            "initial"
      vacmSecurityModel   (index)  3 (USM)              3 (USM)
      vacmAccessSecurityLevel      authNoPriv           authNoPriv
      vacmAccessReadViewName       "internet"           "internet"
      vacmAccessWriteViewName      "internet"           "internet"
      vacmAccessNotifyViewName     "internet"           "internet"
      vacmAccessStorageType        anyValidStorageType  anyValidStorageType
      vacmAccessStatus             active               active

- One entry to be used for authenticated access with privacy (authPriv). This entry exists only when privacy is supported; the no-privacy-support configuration has no authPriv entry:

                                   privacy support
                                   ---------------
      vacmAccessContextPrefix      ""
      vacmGroupName       (index)  "initial"
      vacmSecurityModel   (index)  3 (USM)
      vacmAccessSecurityLevel      authPriv
      vacmAccessReadViewName       "internet"
      vacmAccessWriteViewName      "internet"
      vacmAccessNotifyViewName     "internet"
      vacmAccessStorageType        anyValidStorageType
      vacmAccessStatus             active

5) Two MIB views, of which the second one depends on the security configuration.

- One view, the <internet> view, for authenticated access:

- the <internet> MIB view is the following subtree:

"internet" (subtree 1.3.6.1)

- A second view, the <restricted> view, for unauthenticated access. This view is configured according to the selected security configuration:

  - For the initial-no-access-configuration there is no default initial configuration, so no MIB views are prescribed.

  - For the initial-semi-security-configuration the <restricted> MIB view is the union of these subtrees:

    (a) "system"       (subtree 1.3.6.1.2.1.1)     [RFC1907]
    (b) "snmp"         (subtree 1.3.6.1.2.1.11)    [RFC1907]
    (c) "snmpEngine"   (subtree 1.3.6.1.6.3.7.2.1) [RFC2261]
    (d) "snmpMPDStats" (subtree 1.3.6.1.6.3.8.2.1) [RFC2262]
    (e) "usmStats"     (subtree 1.3.6.1.6.3.9.2.1) [RFC2264]

  - For the initial-minimum-security-configuration the <restricted> MIB view is the whole "internet" subtree (1.3.6.1), i.e. the same subtree as the <internet> view. With this choice an unauthenticated (noAuthNoPriv) request can read everything an authenticated one can; only write access still requires authentication.

This translates into the following "internet" entry in the vacmViewTreeFamilyTable:

                                     minimum-secure       semi-secure
                                     --------------       -----------
      vacmViewTreeFamilyViewName     "internet"           "internet"
      vacmViewTreeFamilySubtree      1.3.6.1              1.3.6.1
      vacmViewTreeFamilyMask         ""                   ""
      vacmViewTreeFamilyType         1 (included)         1 (included)
      vacmViewTreeFamilyStorageType  anyValidStorageType  anyValidStorageType
      vacmViewTreeFamilyStatus       active               active

In addition it translates into the following "restricted" entries in the vacmViewTreeFamilyTable (one entry for minimum-secure, five for semi-secure):

                                     minimum-secure       semi-secure
                                     --------------       -----------
      vacmViewTreeFamilyViewName     "restricted"         "restricted"
      vacmViewTreeFamilySubtree      1.3.6.1              1.3.6.1.2.1.1
      vacmViewTreeFamilyMask         ""                   ""
      vacmViewTreeFamilyType         1 (included)         1 (included)
      vacmViewTreeFamilyStorageType  anyValidStorageType  anyValidStorageType
      vacmViewTreeFamilyStatus       active               active

      vacmViewTreeFamilyViewName                          "restricted"
      vacmViewTreeFamilySubtree                           1.3.6.1.2.1.11
      vacmViewTreeFamilyMask                              ""
      vacmViewTreeFamilyType                              1 (included)
      vacmViewTreeFamilyStorageType                       anyValidStorageType
      vacmViewTreeFamilyStatus                            active

      vacmViewTreeFamilyViewName                          "restricted"
      vacmViewTreeFamilySubtree                           1.3.6.1.6.3.7.2.1
      vacmViewTreeFamilyMask                              ""
      vacmViewTreeFamilyType                              1 (included)
      vacmViewTreeFamilyStorageType                       anyValidStorageType
      vacmViewTreeFamilyStatus                            active

      vacmViewTreeFamilyViewName                          "restricted"
      vacmViewTreeFamilySubtree                           1.3.6.1.6.3.8.2.1
      vacmViewTreeFamilyMask                              ""
      vacmViewTreeFamilyType                              1 (included)
      vacmViewTreeFamilyStorageType                       anyValidStorageType
      vacmViewTreeFamilyStatus                            active

      vacmViewTreeFamilyViewName                          "restricted"
      vacmViewTreeFamilySubtree                           1.3.6.1.6.3.9.2.1
      vacmViewTreeFamilyMask                              ""
      vacmViewTreeFamilyType                              1 (included)
      vacmViewTreeFamilyStorageType                       anyValidStorageType
      vacmViewTreeFamilyStatus                            active
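As an added example (not part of the RFC text, and not code from any SNMP implementation), the following Python model loads the initial tables of steps 2 to 5 above and runs the View-based Access Control decision over them. It builds the configuration for both the minimum-security and the semi-security choice, applies the vacmViewTreeFamilyMask rule when deciding whether a variable is in a view, and shows the practical difference between the two choices: under minimum-security an unauthenticated (noAuthNoPriv) request can read anything under 1.3.6.1, under semi-security only the five status subtrees. The function names, the simplified access-entry selection (exact context match, highest usable securityLevel, which is all the initial configuration needs) and the sample OIDs are this example's own assumptions.

```python
# Added example, not part of the RFC text: a small model of the VACM
# isAccessAllowed() decision run over the Appendix A initial configuration.
# Table rows follow the appendix; helper names and the simplified
# entry-selection rule are this example's own assumptions.
from dataclasses import dataclass

USM = 3                                   # vacmSecurityModel value for USM
NOAUTH, AUTHNOPRIV, AUTHPRIV = "noAuthNoPriv", "authNoPriv", "authPriv"
LEVEL_RANK = {NOAUTH: 0, AUTHNOPRIV: 1, AUTHPRIV: 2}


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple           # vacmViewTreeFamilySubtree
    mask: bytes = b""        # vacmViewTreeFamilyMask; "" means every sub-id is significant
    included: bool = True    # vacmViewTreeFamilyType: 1 (included) / 2 (excluded)


def oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(x) for x in text.split("."))


def family_matches(fam, target):
    """True if target lies in the family: it is at least as long as the subtree
    and agrees with it on every sub-identifier whose mask bit is 1 (bits beyond
    the end of a short mask count as 1)."""
    if len(target) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        byte, bit = divmod(i, 8)
        significant = byte >= len(fam.mask) or (fam.mask[byte] >> (7 - bit)) & 1
        if significant and target[i] != sub:
            return False
    return True


def in_view(families, target):
    """Among matching families the longest subtree wins (ties: lexicographically
    greatest); the target is in the view if that family is 'included'."""
    matches = [f for f in families if family_matches(f, target)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


def initial_config(security_config, privacy=True):
    """vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable and
    vacmViewTreeFamilyTable as Appendix A prescribes for the
    'minimum-secure' or 'semi-secure' choice."""
    if security_config == "minimum-secure":
        restricted = [ViewFamily(oid("1.3.6.1"))]
    elif security_config == "semi-secure":
        restricted = [ViewFamily(oid(s)) for s in (
            "1.3.6.1.2.1.1", "1.3.6.1.2.1.11",          # system, snmp
            "1.3.6.1.6.3.7.2.1", "1.3.6.1.6.3.8.2.1",    # snmpEngine, snmpMPDStats
            "1.3.6.1.6.3.9.2.1")]                        # usmStats
    else:
        raise ValueError("the no-access configuration has no initial tables")
    contexts = {""}                                      # default context only
    views = {"internet": [ViewFamily(oid("1.3.6.1"))], "restricted": restricted}
    sec_to_group = {(USM, "initial"): "initial"}
    # (groupName, contextPrefix, securityModel, securityLevel) -> (read, write, notify)
    access = {
        ("initial", "", USM, NOAUTH): ("restricted", "", "restricted"),
        ("initial", "", USM, AUTHNOPRIV): ("internet", "internet", "internet"),
    }
    if privacy:
        access[("initial", "", USM, AUTHPRIV)] = ("internet", "internet", "internet")
    return contexts, views, sec_to_group, access


def is_access_allowed(cfg, model, name, level, view_type, context, target):
    """VACM status for one (securityModel, securityName, securityLevel) asking
    for 'read' / 'write' / 'notify' access to `target` in `context`."""
    contexts, views, sec_to_group, access = cfg
    if context not in contexts:
        return "noSuchContext"
    group = sec_to_group.get((model, name))
    if group is None:
        return "noGroupName"
    # an entry is usable if its securityLevel is not higher than the request's
    usable = [(k, v) for k, v in access.items()
              if k[:3] == (group, context, model) and LEVEL_RANK[k[3]] <= LEVEL_RANK[level]]
    if not usable:
        return "noAccessEntry"
    _, (read_v, write_v, notify_v) = max(usable, key=lambda kv: LEVEL_RANK[kv[0][3]])
    view_name = {"read": read_v, "write": write_v, "notify": notify_v}[view_type]
    if view_name == "":
        return "noSuchView"
    return "accessAllowed" if in_view(views[view_name], target) else "notInView"


if __name__ == "__main__":
    if_descr = oid("1.3.6.1.2.1.2.2.1.2.1")             # sample OID, outside 'restricted' for semi-secure
    for choice in ("semi-secure", "minimum-secure"):
        print(choice, "noAuthNoPriv read ifDescr.1:",
              is_access_allowed(initial_config(choice), USM, "initial", NOAUTH, "read", "", if_descr))
```

The mask handling is the part worth reading twice: a family such as subtree 1.3.6.1.2.1.2.2.1.1.3 with mask ff:a0 makes the column sub-identifier a wildcard, so the family covers every column of the ifTable row with index 3 and nothing else. Note also that an authPriv request against a no-privacy-support configuration is still served, by the authNoPriv entry, because an entry is usable whenever its securityLevel is not higher than the request's.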

B. Full Copyright Statement

Copyright (C) The Internet Society (1997). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
